[wasm][interpreter] Check signature before getting code

On indirect function calls, if the corresponding table entry is empty, we cannot call {GetCodeFromStartAddress}. In that case, the signature check will fail anyway, so perform the signature check first, and only get the code object if the check succeeds. R=mstarzinger@chromium.org Bug: chromium:831463 Change-Id: Iead949e4c12502b1a2a3949db2dabab4a184a1e7 Reviewed-on: https://chromium-review.googlesource.com/1005005Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#52542}

[wasm][interpreter] Check signature before getting code
On indirect function calls, if the corresponding table entry is empty, we cannot call {GetCodeFromStartAddress}. In that case, the signature check will fail anyway, so perform the signature check first, and only get the code object if the check succeeds. R=mstarzinger@chromium.org Bug: chromium:831463 Change-Id: Iead949e4c12502b1a2a3949db2dabab4a184a1e7 Reviewed-on: https://chromium-review.googlesource.com/1005005Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#52542}
be1a2316 · Clemens Hammacher · Commit Bot · 3953955a · be1a2316 · be1a2316
Commit be1a2316 authored Apr 11, 2018 by Clemens Hammacher Committed by Commit Bot Apr 11, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 4 deletions

wasm-interpreter.cc src/wasm/wasm-interpreter.cc +4 -4

regress-831463.js test/mjsunit/regress/wasm/regress-831463.js +22 -0

No files found.
--- a/src/wasm/wasm-interpreter.cc
+++ b/src/wasm/wasm-interpreter.cc
@@ -2408,14 +2408,14 @@ class ThreadImpl {
    Handle<WasmInstanceObject> instance;
    {
      IndirectFunctionTableEntry entry(*instance_object_, entry_index);
-      instance = handle(entry.instance(), isolate);
-      code = isolate->wasm_engine()->code_manager()->GetCodeFromStartAddress(
-          entry.target());
-
      // Signature check.
      if (entry.sig_id() != static_cast<int32_t>(expected_sig_id)) {
        return {ExternalCallResult::SIGNATURE_MISMATCH};
      }
+
+      instance = handle(entry.instance(), isolate);
+      code = isolate->wasm_engine()->code_manager()->GetCodeFromStartAddress(
+          entry.target());
    }

    // Call either an internal or external WASM function.

--- a/test/mjsunit/regress/wasm/regress-831463.js
+++ b/test/mjsunit/regress/wasm/regress-831463.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-interpret-all
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+const builder = new WasmModuleBuilder();
+const sig = builder.addType(kSig_i_i);
+builder.addFunction('call', kSig_i_v)
+    .addBody([
+      kExprI32Const, 0, kExprI32Const, 0, kExprCallIndirect, sig, kTableZero
+    ])
+    .exportAs('call');
+builder.addImportedTable('imp', 'table');
+const table = new WebAssembly.Table({element: 'anyfunc', initial: 1});
+const instance = builder.instantiate({imp: {table: table}});
+assertThrows(
+    () => instance.exports.call(), WebAssembly.RuntimeError,
+    /function signature mismatch/);